BreachExchange mailing list archives

Insurer Won't Pay for Breach


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Tue, 15 Jun 2010 15:41:09 -0400

http://www.insurancenetworking.com/news/insurance_technology_risk_claims_data_security_breach-24974-1.html

The verdict could have far-reaching ramifications for organizations
seeking reimbursement for costs related to mitigating data breaches.

Two years ago, back-up tapes for the University of Utah Hospitals and
Clinics were stolen from the private vehicle of an employee of a
secure storage company called Perpetual Storage. The tapes contained
protected health information for 1.7 million patients over a period of
16 years, including Social Security numbers for 1.1 million. Now, the
insurer of Perpetual Storage is claiming it is under no obligation to
cover the company's liabilities. A ruling in favor of the insurer
could have a chilling effect on other provider organizations seeking
financial reimbursement for costs related to mitigating data breaches.

The Colorado Casualty Insurance Co. is asking the U.S. District Court
in Utah to declare that its policies do not provide coverage for the
claims made against Perpetual Storage by the university. The insurer
also seeks court judgment that it is not obligated to pay any award of
damages against Perpetual Storage and has no obligation to defend the
company against claims made by the university.

In a seven-page Complaint for Declaratory Judgment, Colorado Casualty
notes it issued a commercial package policy and a commercial liability
umbrella policy to Perpetual Storage, with terms running from May 31,
2008, to May 31, 2009. The university's backup tapes were stolen on
June 1, 2008, a day after the policies went into effect. The insurer
claims it is not obligated under its policies to cover, pay or protect
Perpetual Storage.

The insurer's sole explanation for its position reads as follows: "A
justiciable controversy exists as to whether or not Colorado
Casualty's Policies provide coverage for the claims made by the
University against Perpetual Storage and, therefore, Colorado Casualty
does hereby request that this Court exercise its jurisdiction under 28
U.S.C., sec. 2201 et seq., the Federal Declaratory Judgment Act, to
adjudicate and declare Colorado Casualty's obligations under the
Colorado Casualty Policies."

An attorney for Colorado Casualty did not return a telephone call
asking for comment.

The university has filed an answer to Colorado Casualty's complaint,
as well as countersuing the insurer and Perpetual Storage. The
university claims Colorado Casualty's claims of no obligation are
barred by a number of legal doctrines, by the provisions of the
contracts of insurance, and by the insurer's own negligence and/or
breaches of contract, among other arguments.

The university notes that it has incurred damages totaling
approximately $3,354,753 resulting from the theft: $2,483,057 for
credit monitoring expenses, $646,149 in printing and mailing costs,
$81,389 in phone bank costs, and $144,158 in additional miscellaneous
costs. The university's court filing details multiple violations of
security policies that resulted in the theft and demands that
Perpetual Storage reimburse its costs.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
